The Department Of Homeland Security Proposes New Rules Affecting Federal Government Contractors

This week, the Department of Homeland Security (“DHS”) issued three proposed rules expanding data security and privacy requirements for contractors and subcontractors. The proposed rules build upon other recent efforts by various federal agencies to strengthen safeguarding requirements for sensitive government information.  Given the increasing emphasis on data security and privacy, contractors and subcontractors are well advised to familiarize themselves with these new requirements and undertake a careful review of their current data security and privacy procedures to ensure they comply.

  • Privacy Training

DHS contracts currently require contractor and subcontractor employees to complete privacy training before accessing a Government system of records; handling Personally Identifiable Information and/or Sensitive Personally Identifiable Information; or designing, developing, maintaining, or operating a Government system of records. DHS proposes including this training requirement in the Homeland Security Acquisition Regulation (“HSAR”) and to make the training more easily accessible by hosting it on a public website.  By including the rule in the HSAR, DHS would standardize the obligation across all DHS contracts.  The new rule would require the training to be completed within thirty days of the award of a contract and on an annual basis thereafter.

DHS invites comment on the proposed rule. In particular, DHS asks commenters to offer their views on the burden, if any associated with the requirement to complete DHS-developed privacy training.  DHS also asks whether the industry should be given the flexibility to develop its own privacy training.  Comments must be submitted on or before March 20, 2017.

  • Information Technology Security Awareness Training

DHS currently requires contractor and subcontractor employees to complete information technology security awareness training before accessing DHS information systems and information resources. DHS proposes to amend the HSAR to require IT security awareness training for all contractor and subcontractor employees who will access (1) DHS information systems and information resources or (2) contractor owned and/or operated information systems and information resources capable of collecting, processing, storing or transmitting controlled unclassified information (“CUI”) (defined below).  DHS will require employees to undergo training and to sign DHS’s Rules of Behavior (“RoB”) before they are granted access to those systems and resources.  DHS also proposes to make this training and the RoB more easily accessible by hosting them on a public website.  Thereafter, annual training will be required.  In addition, contractors will be required to submit training certification and signed copies of the RoB to the contracting officer and maintain copies in their own records.

Through this proposed rule, DHS intends to require contractors to identify employees who will require access, to ensure that those employees complete training before they are granted access and annually thereafter, to provide to the government and maintain evidence that training has been conducted. Comments on the proposed rule are due on or before March 20, 2017.

  • Safeguarding of Controlled Unclassified Information

DHS’s third proposed rule will implement new security and privacy measures, including handling and incident reporting requirements, in order to better safeguard CUI. According to DHS, “[r]ecent high-profile breaches of Federal information further demonstrate the need to ensure that information security protections are clearly, effectively, and consistently addressed in contracts.”  Accordingly, the proposed rule – which addresses specific safeguarding requirements outlined in an Office of Management and Budget document outlining policy on managing government data – is intended to “strengthen[] and expand[]” upon existing HSAR language.

DHS’s proposed rule broadly defines “CUI” as “any information the Government creates or possesses, or an entity creates or possesses for or on behalf of the Government (other than classified information) that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls[,]” including any “such information which, if lost, misused, disclosed, or, without authorization is accessed, or modified, could adversely affect the national or homeland security interest, the conduct of Federal programs, or the privacy of individuals.” The new safeguarding requirements, which apply to both contractors and subcontractors, include mandatory contract clauses; collection, processing, storage, and transmittal guidelines (which incorporate by reference any existing DHS policies and procedures); incident reporting timelines; and inspection provisions. Comments on the proposed rule are due on or before March 20, 2017.

  • Other Recent Efforts To Safeguard Contract Information

DHS’s new rules follow a number of other recent efforts by the federal government to better control CUI and other sensitive government information.

Last fall, for example, the National Archives and Record Administration (“NARA”) issued a final rule standardizing marking and handling requirements for CUI. The final rule, which went into effect on November 14, 2016, clarifies and standardizes the treatment of CUI across the federal government.

NARA’s final rule defines “CUI” as an intermediate level of protected information between classified information and uncontrolled information.  As defined, it includes such broad categories of information as proprietary information, export-controlled information, and certain information relating to legal proceedings.  The final rule also makes an important distinction between two types of systems that process, store or transmit CUI:  (1) information systems “used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency”; and (2) other systems that are not operated on behalf of an agency but that otherwise store, transmit, or process CUI.

Although the final rule directly applies only to federal agencies, it directs agencies to include CUI protection requirements in all federal agreements (including contracts, grants and licenses) that may involve such information.  As a result, its requirements indirectly extend to government contractors.  At the same time, however, it is likely that some government contractor systems will fall into the second category of systems and will not have to abide by the final rule’s restrictions.  A pending FAR case and anticipated forthcoming FAR regulation will further implement this directive for federal contractors.

Similarly, last year the Department of Defense (“DOD”), General Services Administration, and the National Aeronautics and Space Administration issued a new subpart and contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.”  The provision adds a number of new information security controls with which contractors must comply.

DOD’s final rule imposes a set of fifteen “basic” security controls for covered “contractor information systems” upon which “Federal contract information” transits or resides.  The new controls include: (1) limiting access to the information to authorized users; (2) limiting information system access to the types of transactions and functions that authorized users are permitted to execute; (3) verifying controls on connections to external information systems; (4) imposing controls on information that is posted or processed on publicly accessible information systems; (5) identifying information system users and processes acting on behalf of users or devices; (6) authenticating or verifying the identities of users, processes, and devices before allowing access to an information system; (7) sanitizing or destroying information system media containing Federal contract information before disposal, release, or reuse; (8) limiting physical access to information systems, equipment, and operating environments to authorized individuals; (9) escorting visitors and monitoring visitor activity, maintaining audit logs of physical access, and controlling and managing physical access devices; (10) monitoring, controlling, and protecting organizational communications at external boundaries and key internal boundaries of information systems; (11) implementing sub networks for publically accessible system components that are physically or logically separated from internal networks; (12) identifying, reporting, and correcting information and information system flaws in a timely manner; (13) providing protection from malicious code at appropriate locations within organizational information systems; (14) updating malicious code protection mechanisms when new releases are available; and (15) performing periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

“Federal contract information” is broadly defined to include any information provided by or generated for the federal government under a government contract.  It does not, however, include either:  (1) information provided by the Government to the public, such as on a website; or (2) simple transactional information, such as that needed to process payments.  A “covered contractor information system” is defined as one that is:  (1) owned or operated by a contractor; and (2) “possesses, stores, or transmits” Federal contract information.

ARTICLE BY Connie N BertramAmy Blackwood & Emilie Adams of Proskauer Rose LLP

Cyber-Attacks: A Problem In 2016, Still A Problem in 2017

cyber-attacks hacktivismA survey of nearly 600 organisations across a variety of industries globally has revealed 98% of these organisations experienced some form of cyber-attack in 2016. (We are left wondering if the other 2% just didn’t notice?)

The survey, conducted by cyber-security company Radware, also found that many organisations are still not prepared to face the threat landscape including that 40% of organisations do not have an incident response plan in place.

Respondents indicated that ransom was the top motivation behind cyber-attacks (41%), followed by insider threats (27%), political hacktivism (26%) and competition (26%).

Radware’s Vice President of Security Solutions, Carl Herberger, says that money is the top motivator in today’s threat landscape. He says “attackers employ an ever-increasing number of tactics to steal valuable information, from ransom attacks that can lock up a company’s data, to DDoS attacks that act as a smoke screen for information theft, to direct brute force or injection attacks that grant direct access to internal data”.

Radware predicts that in 2017, we will see an increase in the use of IoT botnets, cyber ransom, telephony DoS, permanent denial of service for data centre and IoT operations, and public transport being held hostage.

Not the most positive outlook for 2017, but it would be a brave person to suggest they are wrong with those predictions.

ARTICLE BY Cameron Abbott & Allison Wallace of K&L Gates
Copyright 2017 K & L Gates

The White House’s Revisions to its Breach Response Policy For Federal Agencies and Departments Also Affect Contractors

White House data breach responseOn January 3, 2017, the Obama Administration issued a memorandum to all executive departments and agencies setting for a comprehensive policy for handling breaches of personally identifiable information (the “Memorandum”), replacing earlier guidance. Importantly, the Memorandum also affects federal agency contractors as well as grant recipients.

The Memorandum is not the first set of guidance to federal agencies and departments for reporting breaches of personally identifiable information (PII), but it establishes minimum standards going forward (agencies have to comply within 180 days from the date of the Memorandum). The Memorandum makes clear that it is not setting policy on information security, or protecting against malicious cyber activities and similar activities; topics related to the recent fiery debates concerning the 2016 election results and Russian influence.

The Memorandum sets out a detailed breach response policy covering topics such as preparedness, establishing a response plan, assessing incident risk, mitigation, and notification. For organizations that have not created a comprehensive breach response plan, the Memorandum could be a helpful resource, even for those not subject to it. But it should not be the only resource.

Below are some observations and distinctions worth noting.

  • PII definition. Unlike most state breach notification laws, the Memorandum defines PII broadly: information that can be used to distinguish to trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. So, for example, the notification obligation for a federal contractor will not just apply if Social Security numbers or credit card numbers have been compromised.
  • Breach definition. Breaches are not limited phishing attacks, hackings or similar intrusions. They include lost physical documents, sending an email to the wrong person, or inadvertently posting PII on a public website.
  • Training. Breach response training must be provided to individuals before they have access to federal PII. That training should advise the individuals not to wait for confirmation of a breach before reporting to the agency. A belief (or hope) that one will find that lost mobile device should not delay reporting.
  • Required provisions in federal contracts. Federal contractors that collect or maintain federal PII or use or operate an information system for a federal agency must be subject to certain requirements by contract. The Memorandum requires agencies to update their contracts with contractors to ensure the contracts contain certain provisions, such as requiring contractors to (i) encrypt PII in accordance with OMB Circular A-130, (ii) train employees, (iii) report suspected or confirmed breaches; (iv) be able to determine what PII was or could have been accessed and by whom, and identify initial attack vectors, and (v) allow for inspection and forensic analysis. Because agencies must ensure these provisions are uniform and consistent in all contracts, negotiation will be difficult. The Federal Acquisition Regulatory Council is directed to work the Office of Management and Budget to promptly develop appropriate contract clauses and regulatory coverage to address these requirements.
  • Risk of harm analysis. Agencies will need to go through a complex risk of harm analysis to determine the appropriate breach response. Notably, encryption of PII is not an automatic exception to notification.
  • Notification. The rules for timing and content of breach notification are similar to those in many of the state breach notification laws. The Memorandum also advises agencies to anticipate undeliverable mail and to have procedures for secondary notification, something not clearly expressed in most state notification laws. The Memorandum also suggests website FAQs, which can be more easily updated and tailored. Agency heads have ultimate responsibility for deciding whether notify. They can consider over-notification and should try to provide a single notice to cover multiple notification requirements. They also can require contractors to provide notification following contractor breaches.
  • Tabletop Exercises. The Memorandum makes clear that testing breach response plans is essential and expressly requires that tabletop exercises be conducted at least annually.

Federal contractors and federal grant recipients that have access to federal PII will need to revisit (or develop) their own breach response plans to ensure they comply with the Memorandum, as well as the requirements of the applicable federal agency or department which can be more stringent. Of course, those plans must also incorporate other breach response obligations the organizations may have, whether those obligations flow from other federal laws (e.g., HIPAA), state laws, or contracts with other entities. Putting aside presidential politics, cybersecurity threats are growing and increased regulation, enforcement and litigation exposure is likely.

Jackson Lewis P.C. © 2017

Swiss-US Privacy Shield Will Replace Swiss-US Data Protection Safe Harbor

Swiss Privacy ShieldOn January 11, 2017, the Swiss Federal Council announced that a new framework will govern the transfer of personal data from Switzerland to the US.  According to the Federal Council, the Swiss-US Privacy Shield Framework “will apply the same conditions as the European Union.”  The International Trade Administration stated that the US Department of Commerce will begin accepting certifications on April 12.  Certification will allow companies to comply with Swiss data protection requirements, facilitating transatlantic commerce.

  • The Federal Council made note of several changes from the Swiss-US Safe Harbor to the Swiss-US Privacy Shield, including:

  • “Stricter application of data protection principles by participant companies”

  • Heightened administration and supervision requirements by US authorities

  • Enhanced cooperation between the Swiss Federal Data Protection and Information Commissioner and the US Department of Commerce

  • A new arbitration body to handle claims

  • Introduction of an ombudsperson in the US Department of State, who will address Swiss persons’ concerns about the processing of their personal data by US intelligence services

Because the Swiss-US Privacy Shield aligns with the EU-US Privacy Shield, the self-certification process should not be overly burdensome.

However, in light of this change, it is important to reassess current business practices to determine whether a company is participating in the transfer of personal data from Switzerland to the US.  If so, companies should remove any references to the Safe Harbor, and should be ready to apply for self-certification.  Further, companies should prepare for changes to internal policies to comply with the new requirements under the Swiss-US Privacy Shield.

Copyright © 2017 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.

Law Firm Data Breaches: Big Law, Big Data, Big Problem

law firm data breachesThe Year of the Breach

2016 was the year that law firm data breaches landed and stayed squarely in both the national and international headlines. There have been numerous law firm data breaches involving incidents ranging from lost or stolen laptops and other portable media to deep intrusions exposing everything in the law firm’s network. In March, the FBI issued a warning that a cybercrime insider-trading scheme was targeting international law firms to gain non-public information to be used for financial gain. In April, perhaps the largest volume data breach of all time involved law firm Mossack Fonesca in Panama. Millions of documents and terabytes of leaked data aired the (dirty) laundry of dozens of companies, celebrities and global leaders. Finally, Chicago law firm, Johnson & Bell Ltd., was in the news in December when a proposed class action accusing them of failing to protect client data was unsealed.

A Duty to Safeguard

Law firms are warehouses of client information and how that information is protected is being increasingly regulated and scrutinized. The legal ethics rules require attorneys to take competent and reasonable measures to safeguard information relating to client. (ABA Model Rules 1.1, 1.6 and Comments). Attorneys also have contractual and regulatory obligations to protect information relating to clients and other personally identifiable information, financial and health, for example.

American Bar Association’s 2016 TechReport

Annually, the ABA conducts a Legal Technology Survey (Survey) to gauge the state of our industry vis-à-vis technology and data security. The Survey revealed that the largest firms (500 or more attorneys) reported experiencing the most security breaches, with 26% of respondents admitting they had experienced some type of breach. This is a generally upward trend from past years and analysts expect this number only to rise. This is likely because larger firms have more people, more technology and more data so there is a greater exposure surface and many more risk touch-points.

Consequences of Breach

The most serious consequence of a law firm security breach is loss or unauthorized access to sensitive client data. However, the Survey shows there was a low incidence of this, only about 2% of breaches overall resulted in loss of client data. Other concerning consequences of the breaches are significant though. 37% reported business downtime/loss of billable hours, 28% reported hefty fees for correction including consulting fees, 22% reported costs associated with having to replace hardware/software, and 14% reported loss of important files and information.

Employing & Increasing Safeguards Commonly Used in other Industries

The 2016 Survey shows that while many law firms are employing some safeguards and generally increasing and diversifying their use of those safeguards, our industry may not be using common security measures that other industries employ.

1. Programs and Policies. The first step of any organization in protecting its data is establishing a comprehensive data security program. Security programs should include measures to prevent breaches (like policies that regulate the use of technology) and measures to identify, protect, detect, respond to and recover from data breaches and security incidents. Any program should designate an individual, like a full-time privacy officer or information security director, who is responsible for coordinating security. However, the numbers show that the legal industry may not be up to speed on this basic need. Survey respondents reported their firms had the following documented policies:

Document or records management and retention policy: 56%

Email use policy: 49%

Internet use/computer use policy: 41%

Social media use: 34%

2. Assessments. Using security assessments conducted by independent third parties has been a growing security practice for other industries; however, law firms have been slow to adopt this security tool, with only 18% of law firms overall reporting that they had a full assessment.

3. Standards/Frameworks. Other industries use security standards and frameworks, like those published by the International Organization for Standardization (ISO) to provide approaches to information security programs or to seek formal security certification from one of these bodies. Overall, only 5% of law firms reported that they have received such a certification.

4. Encryption. Security professionals view encryption as a basic safeguard that should be widely deployed and it is increasingly being required by law for any personal information; however only 38% of overall respondents reported use of file encryption and only 15% use drive encryption. Email encryption has become inexpensive for businesses and easier to use with commercial email services yet overall only 26% of respondents reported using email encryption with confidential/privileged communications or documents sent to clients.

5. Cybersecurity Insurance. Many general liability and malpractice polices do not cover security incidents or data breaches, thus there is an increasing need for business to supplement their coverage with cybersecurity insurance. Unfortunately, only 17% of attorneys reported that they have cyber coverage.

Conclusion

It is important to note that the figures revealed by the 2016 Survey, while dismaying, may also be extremely conservative as law firms have a vested interest in keeping a breach of their client’s data as quiet as possible. There is also the very real possibility that many firms don’t yet know that they have been breached. The 2016 Survey demonstrates that there is still a lot of room for improvement in the privacy and data security space for law firms. As law firms continue to make the news for these types of incidents it is likely that improvement will come sooner rather than later.

2016 Cybersecurity Year in Review, and Data Privacy Trends to Watch in 2017

cybersecurity data privacyWith 2016 in the rear-view mirror, we have been reflecting on the many data privacy and cybersecurity legal developments of the past year, both in the U.S. and internationally, as well as focusing on trends to watch in the new year. With best wishes for a Happy New Year from all of us, we present a number of highlights from 2016, and suggest a few areas to watch in 2017.

U.S. Courts Wrestle With Law Enforcement Access to Data

Debate over law enforcement access to data stored by technology companies was perhaps the most visible privacy and cybersecurity issue of 2016, with far-reaching implications in both the U.S. and abroad. In July, the Second Circuit issued a decision in Microsoft’s challenge to a warrant issued under the Electronic Communications Privacy Act (ECPA), seeking email content stored in Ireland. The Second Circuit unanimously held that ECPA warrants cannot compel U.S. providers to disclose the contents of customer communications stored on foreign servers. In 2017, we expect that decision to have significant implications for U.S. technology companies, as well as consumers and companies that store data with U.S.-based providers. The government has sought rehearing en banc, and also has indicated that it intends to submit legislation to Congress to address the implications of the decision.  Congress has considered related issues in the International Communications Privacy Act.

Apple also engaged in a high-profile court battle with the government early in 2016 when the company refused the FBI’s request to unlock a terror suspect’s iPhone, though the dispute ended in March without a court decision when the FBI announced it had accessed the device without Apple’s assistance.  Congress continues to grapple with the consequences of that case to include considering several encryption-related legislative proposals.

U.S. Supreme Court Addresses Privacy Standing in Spokeo

The U.S. Supreme Court issued its highly anticipated decision in Spokeo in May, addressing whether plaintiffs have standing to pursue statutory damages even in the absence of harm under the Fair Credit Reporting Act (FCRA). The Court reaffirmed that constitutional standing in federal court requires “concrete” (i.e., actual) harm and offered several guiding principles to assist lower courts in determining whether standing requirements have been met.  Although the case specifically dealt with the FCRA, Spokeo has significant implications in privacy and data breach litigation because numerous federal privacy laws have been construed to allow statutory damages even in the absence of actual harm.  Lower courts have begun applying the decision in data breach cases, including a recent district court ruling that a named plaintiff’s allegations that stolen personal information was used to file a false tax return were sufficient to impart standing under Spokeo.  In 2017, we expect this process to continue, as lower courts continue to interpret the Supreme Court’s decision.

A New Framework for EU-U.S. Data Transfers

The EU-U.S. Privacy Shield, a new framework for the transfer of personal data between the EU and the U.S., was announced in February and finalized in July.  Negotiators in the EU and U.S. worked on an accelerated timeline following the invalidation of the Safe Harbor in late 2015 resulting in the Privacy Shield—a significantly more stringent framework than its predecessor.  Companies began self-certifying adherence to the Privacy Shield in August, and as of this post more than 1,300 companies have signed up at the Department of Commerce’s website.  In 2017, we see continued uncertainty in this area.  The Privacy Shield faces a legal challenge in the European Court of Justice, and another cross-border mechanism—standard contractual clauses—also is subject to an EU court action.  The Privacy Shield itself was based, in part, on an exchange of letters between the Obama Administration and the European Commission relating to mass surveillance, and it remains to be seen if the Trump Administration will continue the commitments made in those letters.  Relatedly, the European Parliament approved the EU-U.S. Umbrella Agreement in December—a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S.

Sweeping New Data Protection Laws Approved in Europe

The European Parliament passed into law the General Data Protection Regulation (GDPR) in April, a sweeping new set of privacy and data security rules that will take effect in mid-2018.  Unlike the EU Data Protection Directive which it replaces, the GDPR for the most part will have direct effect throughout the EU without requiring national implementation legislation.  Companies doing business in (or with companies operating in) the EU have begun preparing for compliance with the new requirements, and the Article 29 Working Party released the first set of guidance on the GDPR in December.  In 2017, we expect the Article 29 Working Party to continue to fill in some of the blanks left in the GDPR, and we also expect companies to intensify their preparation for the mid-2018 effective date of this landmark legislation.

FTC’s Data Security Authority Tested (Again) in LabMD

 Following the Third Circuit’s decision affirming the FTC’s authority to regulate corporate data security in Wyndham last year, the FTC sought to further bolster its data security authority in LabMD.  In July, the Commission unanimously vacated a prior Administrative Law Judge decision and found that LabMD’s actions were “unfair” under Section 5 of the FTC Act.  In November, however, the Eleventh Circuit stayed enforcement of the FTC’s LabMD order, finding that LabMD was likely to succeed on the merits because the FTC’s interpretations of aspects of the FTC Act relating to its data security authority were likely not reasonable. The case will now proceed on the merits, but the grant of the stay suggests that the Eleventh Circuit may be receptive to LabMD’s arguments for ultimate reversal of the LabMD order.  This could produce a circuit split between the Eleventh Circuit and the Third Circuit (which decided the Wyndham case), and thereby provide a basis for an attempt to secure Supreme Court review of the FTC’s jurisdiction.  Moreover, this case could provide a vehicle for a new FTC, with a Republican majority, to reconsider the agency’s current aggressive approach on “unfairness” as applied to data security.

Newly Established Cybersecurity Requirements and Guidelines

A number of U.S. states and standard-setting organizations issued broadly applicable cybersecurity requirements and guidelines in 2016.  In February, as part of the release of its 2016 Data Breach Report, the Office of the Attorney General for California established a de facto standard that companies doing business in California must, at a minimum, adopt twenty specific security controls established by the Center for Internet Security in order to have “reasonable” security practices in California.  And New York State proposed first-in-the-nation cybersecurity regulations that contain several mandatory security requirements for financial services institutions—those institutions that are regulated by New York banking, insurance, or financial services laws—which are currently being revised following industry comments and are scheduled to take effect in March 2017.

At the federal level, in October, the Department of Defense (DoD) finalized its safeguarding and cyber incident reporting obligations, requiring DoD contractors to implement specific security controls for information systems that store, process, or transmit DoD’s data and to report actual or possible cybersecurity incidents involving such data to DoD within 72 hours.  And in the coming year, similar security controls and reporting requirements will likely be required for all government contractors, as a September rule promulgated by the National Archives and Record Administration (NARA) set the stage for a Federal Acquisition Regulation (FAR) clause that will likely mirror DoD’s requirements.  In November, the National Institute of Standards and Technology (NIST) released guidance for small businesses on cybersecurity preparedness, including a list of “recommended practices” that are applicable not just to small businesses, but entities of all sizes.

New Cybersecurity and Privacy Laws and Regulations in China

As expected, authorities in China were active in passing a new Cybersecurity Law and proposing new cybersecurity and privacy regulations in 2016.  In November, the Standing Committee of China’s National People’s Congress passed China’s first Cybersecurity Law (the “Law”), which will take effect starting June 1, 2017.  Described as China’s “fundamental law” in the area of cybersecurity, the new Law articulates the government’s priorities with respect to “cyberspace sovereignty,” consolidates existing network security-related requirements (covering both cyber and physical aspects of networks), and grants government agencies greater power to regulate cyber activities.  It is the first Chinese law that systematically lays out the regulatory requirements on cybersecurity, subjecting many previously under-regulated or unregulated activities in cyberspace to government scrutiny.  At the same time, it seeks to balance the dual goals of enhancing cybersecurity and developing China’s digital economy, which relies heavily on the free flow of data.

China’s National Information Security Standardization Technical Committee (NISSTC) drafted a Personal Information Security Standard, a non-binding standard for data privacy and security practices of companies operating in China.  The NISSTC also released seven draft standards for comment in December, with a public comment period running until February 2, 2017.  The Cyberspace Administration of China (CAC) has also been active in 2016, issuing new rules for mobile apps in July, and draft regulations aimed at protecting minors in cyberspace in October. Finally, in August China’s State Administration of Industry and Commerce (SAIC) released draft regulations for public comment that would amend consumer protection laws to, among other things, supplement existing privacy obligations for companies operating in China.

FCC Releases Broadband Privacy Rules

The FCC’s increasing focus on privacy issues continued in 2016 with the release of broadband privacy rules.  The new rules, which were formally proposed in April, regulate the privacy practices of broadband Internet Service Providers (ISPs), including requirements to obtain consent for certain uses of consumer data and to adhere to certain data security practices.   The rules were adopted by the Commission in a 3-2 party-line vote in October, so their fate is quite uncertain under the incoming Republican administration.  Given that petitions for reconsideration currently are pending before the FCC and will remain so until the change in Administration, these rules could be one of the first areas in which the new FCC makes its mark on the policies of the Obama-era Commission.

Connected Devices and The Internet of Things

2016 saw several developments relating to the Internet of Things (IoT), such as internet-connected refrigerators and thermostats, which present unique opportunities and challenges from a privacy and cybersecurity perspective.  In April, the U.S. Department of Commerce issued a request for public comment on the benefits, challenges, and potential government roles for IoT, and the U.S. Senate Commerce Committee approved a bill (which remains pending) to establish a working group to study and facilitate IoT growth.  Around the same time, the European Commission released a series of industry-related initiatives addressing IoT, among other things.  And in November, NIST released cybersecurity guidance for IoT, and the Broadband Internet Technical Advisory Group released another report detailing the unique security and privacy challenges posed by IoT.  In 2017, we expect the focus on connected devices to escalate, particularly given the emergence of driverless cars and other innovative technologies.

Russia v. USA: Geo Political Cyber Warfare And Your Business

Cyber warfare, Russian Flag HackThe cyber war battlefield has expanded, and your business is now a fighter and a target.

A new U.S. Government report explains many reasons for identifying and penalizing Russian hackers, the Russian intelligence services, and the Russian leadership in response to hacks on U.S. government, political and business targets. The report contains detailed information that organizations can use to determine if the Russians have accessed their systems, plus a detailed list of prudent steps and best practices that all organizations should consider as part of their cyber security efforts.

The overarching message of the report is that the DNC hack was not an isolated incident but part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information.

The report is best understood as a call to arms for U.S. private sector and government entities to strengthen their vigilance and defenses against Russian Intelligence Services and join DHS and FBI in their effort to counter them. Many organizations believe that because they hold no state secrets, defense-related intellectual property, or sensitive information on government employees, they have no stake in geopolitical cyber security. DHS and the FBI are saying that this is not true. The national interest in cyber security is materially weakened whenever organizations with credibility and standing allow their domains to be breached and used conduits for cyber-attacks on others –as happened in the DNC breach. Furthermore, data collected from breaches of non-traditional targets is often used to create the highly-targeted and highly credible email packages for use in spear phishing campaigns against more traditional targets. Geopolitical cyber security is being “democratized” with wide ranging potential public policy implications.

On December 29, 2016, the United States Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) jointly identified the Russian civilian and military intelligence services (RIS) as responsible for the 2015-2016 hack of the Democratic National Committee and its leadership. (In a nod to investigatory confidentiality, the joint DHS/FBI report refers to the targets only as a “U.S. political party,” and “multiple senior party members.”) The U.S. government has given the RIS effort the rather unartfully chosen name of “GRIZZLY STEPPE.”1

The joint DHS/FBI report provides the most detailed public discussion to date by U.S. law enforcement and cyber security agencies of the means and methods used in a foreign government-sponsored cyber-attack against U.S. interests. In October 2016, DHS and the Director of National Intelligence had reported that they were “confident” that RIS was behind the DNC attack. But this is the first time that a DHS/FBI joint report had formally assigned culpability for a specific cyber-attack to a specific nation. It is also the first time that specific operational groups within a foreign cyber directorate have been singled out and their identifying practices, approaches and tools have been publically discussed.

The report links these operations by RIS to damaging or disruptive cyber-attacks committed in recent years on foreign interests.2 The report does not mention these attacks by name but apparently is referencing recent cyber-attacks on the Ukrainian electrical grid, banking system and other infrastructure,3 and on Estonian governmental and quasi-governmental entities. All of these cyber-attacks have been widely attributed to the Russian government, which denies that attribution.

As part of its call to arm, the DHS/FBI report provides “technical details regarding the tools and infrastructure” being used by the RIS “to compromise and exploit networks and endpoints associated with a range of U.S. Government, political and private sector entities.

The report shows how groups working within RIS have been able to plant command and control infrastructure within the servers and domains of U.S. organizations and educational institutions –infrastructure they used to send phishing emails to potential victims and to serve as a pipeline to receive and retransmit stolen data once a breach was established. The report infers that the Russians were able to camouflage their actions by routing this malicious internet traffic through otherwise known and legitimate –perhaps even well-respected— private and educational organizations.

In the report, DHS and the FBI provides “technical indicators related to many of these operations, recommended mitigations, suggested actions to take in response to these the indicators provided and information on how to report such incidents to the U.S. Government.” The technical indicators include the specific software fingerprints (Yara signatures) for the malware planted by RIS, and the specific IP addresses, URLs and file hashes that the RIS operatives have used in their attacks on U.S. computer systems.

DHS and the FBI call on the private sector and others to put this information to immediate use to identify and remediate on-going RIS breaches and to limit future vulnerabilities. It is likely that other private and governmental entities are subject to active and breaches by the RIS, and may be serving as infrastructure for on-going RIS attacks on others. To this end, the report recommends that network administrators “review the IP addresses, file hashes, and Yara signatures provided and add the IP addresses to their watchlists” to determine whether malicious activity is taking place in their systems today.

The DHS/FBI report cautions that some of the traffic crossing network perimeters or firewalls and reflecting the suspicious IP addresses and other identifying information may prove to be legitimate. Conversely, some traffic that appears legitimate may involve RIS or others scanning public-facing servers (e.g., HTTP, HTTPS, FTP) to identify websites that are vulnerable cross-site scripting (XSS) or Structured Query Language (SQL) injection attacks. This scanning can be the precursor to exploitation of the vulnerabilities found.

The FBI and DHS cannot impose direct legal consequences on private sector and governmental entities who fail to act on this information. But scenarios can be envisioned where the failure to do so could be considered a failure to provide the minimum levels of data protection that are may be required by the multiple statutory, regulatory and common law constructs under which businesses operate today. Womble Carlyle advises its clients to evaluate the DHS/FBI report carefully, and to document and the actions and decisions taken response to it for future reference.

As to the specific DNC attack, the report concludes that two separate groups within RIS breached the DNC computer system. These teams used different techniques and malware exploits and the report does not show direct coordination between the breaches. The report designates the two RIS hacking groups as APT (Advanced Persistent Threat) 28 and APT 29.

(An advanced persistent threat actor or APT is a hacker or team of hackers whose sophisticated methods, choice of targets, and the determination to breach those specific targets set them apart from even the most accomplished global cybercriminals. APTs are generally assumed to be associated with nation states and other political actors.)

The report indicates that the initial breach of the DNC computer resulted from a 2015 spear phishing campaign in which APT29 sent “out emails containing a malicious link to over 1,000 recipients, including multiple U.S. Government victims.” But even before this, APT29 had breached a number of “legitimate [internet] domains, to include domains associated with U.S. organizations and educational institutions.” Through these earlier breaches, APT29 had set up operational infrastructure (i.e., false user and email accounts) within the computer domains of these legitimate organizations. These accounts allowed APT29 to send spear phishing emails to its victims from legitimate organizations, possibly organizations known to and respected by the potential victims, albeit from unauthorized and fraudulent email accounts hosted there.

Links in the spear phishing emails directed the victims to web pages created by APT29 and hosted, once again, on the domains of these otherwise legitimate organizations. The pages included malware droppers which downloaded malicious software on the targets’ computer system when the victims’ clicked on the links.

At least one targeted individual, apparently a “U.S. Government victim,” activated the malicious link from a computer on the DNC’s system. The downloaded malware granted APT29 remote access to that individual’s computer which the group then used to obtain control over the computer’s operating systems (PowerShell commands). The group established “persistence” in the form of difficult to detect “back doors” allowing its members to come and go on the system at will. They “escalated privileges” harvesting credentials that allowed them wider and wider access to the data on the DNC’s system. They created their own user accounts on the DNC domains to receive, encrypt and exfiltrate (steal) data. They conducted surveillance and began exporting data using encrypted connections.

Operational infrastructure unwittingly hosted on legitimate sites formed the pipeline for breaching the DNC and transmitting the stolen data to Russia. This made the malicious nature of the transfers harder to detect.

A second breach occurred in the spring of 2016 when a separate RIS group, APT28, hacked the DNC using a different spear phishing technique. DHS and the FBI report that APT28’s established modus operandi is to “leverage[e] domains that closely mimic those of targeted organizations.” This can mean, for example, substituting www.yourcompany.co or www.youcompany.com for www.yourcompany.com. Spear phishing emails can be sent that spoof an email from the targets’ IT department or other leadership. The email instructs the targets to confirm or update their passwords using a link provided. The link is to a fraudulent web page on an unwitting host’s system. If the targets click on the link and enter passwords as instructed, their credentials are immediately transmitted to the hacker who uses them to gain access to the computer and begin uploading malware and conducting exploits.

APT28’s approach appears to gained access to the email accounts of “multiple senior party members” at the DNC. The report indicates that the 19,000 emails and other documents posted on WikiLeaks on the eve of the Democratic National Convention were harvested by APT28.

Other reports indicate that it was APT28’s attempts to breach the DNC’s computers in the spring of 2016 that led to DNC to retain cybersecurity consultants to look for a potential breach. Apparently, by the time remedial action could be taken the damage had been done. It also seems that the investigation into the APT28 cyber-attack lead to the discovery of the older, on-going APT29 breach, which may explain the fact that the team responsible for the older breach was assigned the higher reference number.

The DHS/FBI report does not say which “U.S. organizations and educational institutions” were the unwitting hosts to the RIS’s activities. But it is very reasonable to assume that sometime in the summer of 2016, a legitimate and undoubtedly respected U.S. organization or educational institution received a call from the FBI telling them that their lax cyber security policies materially contributed to what the U.S. government is now reporting to be a deliberate attempt by Russia to subvert the U.S. political process. Other organizations may be in a similar situation today, with RIS actively using their infrastructure to carry out cyber-attacks on other U.S. interests.

Would an organization become civilly liable, if absent good reasons, it were to ignore the tools and recommendations cited in this report and then becomes (or continues to be used as) the conduit for future data breaches that injure others? The law on this point is in its infancy. The answer will only come when courts resolve claims by specific plaintiffs seek against specific defendants in future lawsuits. But the process for creating future precedents on these matters will likely be slow, embarrassing and expensive for the defendants involved. And the resulting reputational black-eye may represent the greatest cost of all.

Copyright © 2016 Womble Carlyle Sandridge & Rice, PLLC. All Rights Reserved.


1 Would a second such cyber-attack become the “GRIZZLY TWO-STEPPE” or simply “DANCING BEAR?”

2 http://www.wsj.com/articles/behind-russias-cyber-strategy-1483140188

3 http://www.wsj.com/articles/cyber-experts-cite-link-between-dnc-hacks-an…

President Obama Authorizes Additional Sanctions on Russian Individuals and Entities: Executive Order 13964

Originally, EO 13964 focused on cyber-enabled malicious activities that harmed or significantly compromised the provision of services by entities in a critical infrastructure sector. This included significant disruptions to the availability of a computer or network of computers, or causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

In light of Russia’s recent use of cyber means to undermine democratic processes, the president has amended the EO to cover additional activities, authorizing sanctions on individuals/entities who tamper with, alter, or cause misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions. Under this authority, the president has sanctioned nine entities and individuals, including two Russian intelligence services (the GRU and the FSB), four individual officers of the GRU and three companies that provided material support to GRU’s cyber operations.

These new sanctions highlight the importance of regular and diligent screening of transactions, as well as the need to periodically review existing screening practices to ensure that they are up to date. It is critical to remember that an individual who may have been an acceptable business partner one day may be on a sanctions list the next.

©2016 Drinker Biddle & Reath LLP. All Rights Reserved

House Energy and Commerce Committee Holds Hearing on Security of Internet of Things

What the experts are saying.

The hearing was motivated by the revelation that cybersecurity is no longer just about protecting  laptops or securing digital data. IoT insecurity puts human safety at risk, as everything from home appliances to automobiles and medical technology are becoming connected to the Internet. Representatives from both committees pressed expert witnesses Mr. Dale Drew of Level 3 Communications, Dr. Kevin Fu of Virta Labs and the University of Michigan, and Mr. Bruce Schneier of the Harvard Kennedy School of Government for examples of legislation that could target the cybersecurity concerns related to the Internet of Things.

These experts shared conflicting opinions about whether it is in fact possible for the government to establish one set of security standards that covers all Internet-connected devices, as these devices do many different things and are powered by many different types of technology. Mr. Schneier reminded the subcommittees that “[your smartphone] is not a phone; it’s a computer that makes phone calls.” The same applies to a long list of devices including WiFi-connected baby monitors, thermostats, refrigerators, DVR players, GPS systems, children’s toys, and of course, electronic voting booths. In his testimony, Mr. Drew explained that “bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats.” Nevertheless, they agreed that a collaborative and, above all, proactive approach by both the government and manufacturers of these devices will be essential.

Fortunately, we already have a potential starting point. The National Institute of Standards and Technology recently issued a comprehensive set of guidelines and best practices for securing IoT devices and systems throughout their entire life cycle. But simply establishing these best practices on paper will not be enough. Dr. Fu reiterated the most important takeaway from the hearing: that proper security measures for IoT devices must be “built in, not bolted on.” Protective measures like encryption must be incorporated into the fundamental design of a device, not tacked on as an afterthought. They also must secure a device from its creation, through its life with a consumer, and after “retirement” since old but active devices are still vulnerable to hijacking by botnets like the one used in last month’s massive distributed denial of service (“DDoS”) attack on global Internet routing company Dyn.

Looking ahead to the future.

Currently, there are few market incentives to spend time and money producing more secure encrypted devices.  There are likewise no significant legal or economic penalties for selling devices to consumers that are insecure. In short, consumers are focused on buying sleek and affordable new products rather than on the networks that connect them. However, if massive DDoS attacks continue the same way that data breaches have in recent years, the priorities of consumers and manufacturers alike are bound to evolve.

Will a greater focus on security slow down the rate of technological innovation? Despite some concerns, Dr. Fu and Mr Schneier reassured the subcommittees that efforts to improve cybersecurity will spur innovation in the tech industry, not hold it back. As consumers and manufacturers become more aware of the implications of poorly secured devices, incorporating features like end-to-end encryption will be understood not as necessary obstacles, but as valuable solutions to very real and costly problems.

ARTICLE BY Cynthia J. Larose, Michael B. Katz & Joanne Dynak of Mintz Levin
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Cybersecurity Due Diligence Is Crucial in All M&A—Including Energy M&A Transactions

Can a single data breach kill or sideline a deal? Perhaps so. Last month Verizon signaled that Yahoo!’s disclosure of a 2014 cyberattack might be a “material” change to its July $4.83 billion takeover bid—which could lead Verizon to renegotiate or even drop the deal entirely. Concern over cybersecurity issues is not unique to technology or telecommunications combinations. In a 2016 NYSE Governance Services survey of public company directors and officers, only 26% of respondents would consider acquiring a company that recently suffered a high-profile data breach—while 85% of respondents claimed that it was “very” or “somewhat” likely that a major security vulnerability would affect a merger or acquisition under their watch (e.g., 52% said it would significantly lower valuation).

Bottom Line: Cybersecurity should play a more meaningful role in the due diligence portion of any potential M&A deal. Certainly this is so when a material portion of the value in the acquisition comes from intangible assets that might be most vulnerable to hackers. Financial information comes to mind. Personal information of employees does as well. But companies also need to be concerned about their trade secrets, know-how and other confidential business information whose value inheres in its secrecy. Therefore, a merely perfunctory approach to cybersecurity can become very costly. The union of companies today is a union of information, malware and all.

Energy M&A Is Not Immune

To weather the plunge in prices, many oil companies have sought out new innovations to reduce the cost of extraction and exploration. Investments in digital technologies will likely only increase—a 2015 Microsoft and Accenture survey of oil and gas industry professionals found that “Big Data” and the “Industrial Internet of Things” (IIoT) are targets for greater spend in the next three to five years. Cybersecurity threats were perceived in the survey as one of the top two barriers to realizing value from these technologies.

These developments in energy industry—bigger data and bigger vulnerabilities—are here to stay. The proposed merger of General Electric and Baker Hughes also speaks to the growing importance of analytics to oil production. Commentators note that the acquisition would allow GE more fully to implement its Predix platform, an application of IIoT to connect everything from wellhead sensors to spreadsheets. However, as last month’s massive cyberattack on DNS provider Dyn, Inc. demonstrated, the IIoT holds unique challenges as well as great promise for operational efficiency. (In this attack, reportedly 400,000 internet-linked gadgets were hacked and used to reroute web traffic to overload servers.)

Bottom Line: Robust cybersecurity diligence should be de rigueur for energy M&A.

What Can Companies Do to Protect Deal Value?

For starters, energy companies should treat cybersecurity as a separate and more involved category for due diligence.

Liability for or damages from legacy data breaches or malware can become expensive—damages to systems, theft of information and liability from the release of personal or reputation-damaging information, to name a few. Therefore, anticipating problems post-merger, cataloguing past vulnerabilities and most importantly, discovering actual breaches before closing is crucial to avoid deals blowing hot and cold.

Companies should retain IT specialists who can do an objective assessment of the cybersecurity posture of a proposed merger or acquisition. This can help prospective acquirers better determine the adequacy of a target’s cybersecurity programs, such as its policies over incident response, how access to data is distributed, the extent of a company’s online presence and vulnerabilities, and how remediation of any potential cyberthreats or actual breaches may best proceed.

A cybersecurity questionnaire should also be developed, covering such topics as:

  • How and where has company data been stored?

  • Who has had access?

  • Have there been any actual or attempted intrusions into (or leaks) of company data?

An acquirer could further insist on specific representations and warranties from a target company regarding their cybersecurity compliance, as well as bargain towards indemnity for prior data breaches.

On the target side, energy companies should prepare (in turn) for more scrutiny over their data security and privacy practices. Among other benefits to “knowing thyself,” getting ahead of this process should offer targeted companies a better negotiating position. It would also allow them to take a more proactive role in defining the policies of the combined company post-merger. At the very least, these efforts could help avoid the kind of hiccups and uncertainties that lead to undervaluation. In any event, poor cybersecurity practices can give an impression that a target lacks risk management in other areas—not an ideal pose to strike in any bargain.

Parting Thoughts

It is a trope in cybersecurity writing to invoke figures like Sun Tzu and shoehorn in quotes about war stratagem. Well, these habits are in some ways unavoidable: For all intents and purposes, fighting anonymous hackers resembles battle prep—a method of self-awareness and readiness that defies box-checking.

Energy companies could take these words to heart from the inestimable Miyamoto Musashi, a samurai who won 60 duels: “If you consciously try to thwart opponents, you are already late.” (A sentiment echoed more recently by Mike Tyson’s truistic “Everyone has a plan until they get punched in the mouth.”)

And This Key Takeaway: Any cybersecurity program must go hand-in-hand with a corporate culture that respects data as among its most valued assets. Efforts in detection, reporting and remediation are challenges that fall throughout the ranks and, if reflexive to the unknown, stand the best chance of being fully realized.

Bottom Line: Mind Your Data!